They could have deprecated/removed both deployment methods two versions of Java ago and the world would not have been worse off... Even better yet, I think Java as a language would be more popular if they had, with Java browser plugins giving Java security such a bad name.

I don't understand how this is "Oracle kills webstart" at all. From the "article":

Quote

With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology.

It sounds like Oracle is simply saying that people should migrate from Applets to Web Start, which isn't news to anybody. The news is that applets will be deprecated in Java 9.

I just wanted to make sure, because killing applets isn't really a big deal, since existing applications can pretty easily just move to Web Start. If Web Start is being killed, that's a whole different story.

Just wanted to know how much of a panic I should incite at my day job on Monday morning...

Even if the client has a pre-installed JVM and the browser allows the download of the webstart jnlp file, webstart won't launch your game unless you've purchased a certificate and signed your game files with it which is prohibitive for most of us hobbyist developers.

I stopped using applets in 2006 and I dropped Java Webstart one or two years ago mainly because of the obligation of using "trusted" certificates even though there are some ways to work around this limitation as ziozio suggested. It's possible to obtain some free of charge "trusted" certificates but you have to renew them often and/or you have to provide something in return (sometimes filling some surveys).

Some Java developers use the free of charge and easy to renew "trusted" certificates provided by Let's encrypt with Jetty, it seems to be possible to use it with Java Webstart too, this is the least annoying solution that I have to suggest if you really want to go on using Java Webstart. Otherwise, consider IzPack, PackR, JarMatey, OneJAR, GetDown, JNDT (my own tool), ...

P.S: Java Deployment Toolkit is blocked in Mozilla Firefox, it helps to get the right version of Java for a user’s system. The current situation drives Java Webstart less usable as if you use it without JDT, it won't work if the right version of Java isn't already installed which often happens especially since Oracle installs a tool bar (from Ask.com, Yahoo and now Amazon) by default.

To be honest, I think any Java application that can be run from a browser is just too insecure to ever be a success. Either you get stringent security which is too much bother for many users, or any malware creator gets a free pass to basically do anything whenever someone visits a website. Java is not sandboxed enough for that (like many other languages). Now if you were to use Google Web Toolkit or something like it, you could compile your Java code to Javascript, which runs in a more secure sandbox. Like LibGDX supports when deploying to web. If you want to deploy on the web you'd better look into that route, I think.

The hidden flaw is this: Sandboxed applets were theoretically safe, but sometimes compromised by bugs.Web start applications, or any other means to download and run a program is guaranteed to be unsafe.

So by training users to switch from mostly safe to a guaranteed unsafe software, you are makingthem less secure, not more.

IMO the ongoing deprecation of applets is more about oracle washing their hands of the problemthan about real security.

java-gaming.org is not responsible for the content posted by its members, including references to external websites,
and other references that may or may not have a relation with our primarily
gaming and game production oriented community.
inquiries and complaints can be sent via email to the info‑account of the
company managing the website of java‑gaming.org